CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection
tracking support for the DCCP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntr
CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection
tracking support for the SCTP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntr
CONFIG_NF_CT_PROTO_UDPLITE is no longer a tristate. When set to y,
connection tracking support for the UDPlite protocol is built into
nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/
When netfilter needs to match traffic made by one of the above protocols,
layer-4 connection tracking functionality will not be available, unless the
user explicitly loads it in the kernel (e.g. "modprobe nf_conntrack_proto_sctp")
or modifies the default kernel configuration and rebuilds.
In order to
In commit 1ffad83dffd6 ("netfilter: fix include files for compilation"),
compile-time errors were fixed for userspace programs including UAPI
nf_conntrack_tuple_common.h: this was done by adding a "#include
" line to that header file. This patch replaces
"" with ""
in nf_conntrack_tuple_common.h t
Since kernel 4.7 this defaults to off.
Signed-off-by: Florian Westphal
---
Documentation/networking/nf_conntrack-sysctl.txt | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Documentation/networking/nf_conntrack-sysctl.txt
b/Documentation/networking/nf_conntrack-sysctl.
since 23014011ba420 ('netfilter: conntrack: support a fixed size of 128
distinct labels')
this isn't needed anymore.
Signed-off-by: Florian Westphal
---
include/net/netns/conntrack.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
Exit as early as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 63 ---
1 file changed, 29 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/ips
Before this patch, struct htype was created at the first source
of ip_set_hash_gen.h and it is common for both IPv4 and IPv6
set variants.
Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype allocation.
Ported from a patch proposed by Sergey Popovich
Hash types already have their memsize calculation code in separate
functions. Clean up and do the same for *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_bitmap_gen.h | 11 ++
Data for hashing is required to be an array of u32. Make sure that
element data is always a multiple of u32.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --
Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid scanning the whole set when just the header data
is requested.
Signed-off-by:
Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one. Explicitly note that
struct ip_set_skbinfo must be padded to prevent non-aligned
access in the extension blob.
Ported from a patch pro
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/net
Group counter helper functions together.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 42 +-
1 file changed, 21 insertions(+), 21 deletions(-)
diff -
The set full case (with net_ratelimit()-ed pr_warn()) is already
handled, simply jump there.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h
b/net/netfilter
Allocate memory with kmalloc() rather than kzalloc(): the string
is immediately initialized so it is unnecessary to zero out
the allocated memory area.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ip
Use setup_timer() instead of init_timer(), being the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is inactive it will be activated).
Use setup_timer()
From: Tomasz Chilinski
Introduce the hash:ipmac type.
Signed-off-by: Tomasz Chiliński
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/Kconfig | 9 +
net/netfilter/ipset/Makefile| 1 +
net/netfilter/ipset/ip_set_hash_ipmac.c | 315 ++
Remove redundant parameters nets_length and dsize, because
they can be obtained from other parameters.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --gi
From: kbuild test robot
net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in
function 'hash_ipmac4_data_list' with return type bool
net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in
function 'hash_ipmac6_data_list' with return type bool
Return sta
Cleanup: group ip_set_put_extensions and ip_set_get_extensions
together and add missing extern.
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h
b/include/l
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 51 +
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h| 2 ++
include/linux/netfilter/ipset/ip_set_bitmap
Cleanup to separate all extensions into individual files.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 95 +-
include/linux/netfilter/ipset/ip_set_cou
From: Eric B Munson
It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries. This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the header that is
exported to u
Remove one level of indentation by using continue while
iterating over elements in bucket.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 25 -
1 file changed, 12 insertions(+), 13 deletions(-)
Hi Pablo,
Here follows the new batch for nf-next: I addressed all your
concerns about the previous version.
Please review and consider applying the patchset.
Thanks!
Jozsef
* Cleanup: Remove extra whitespaces in ip_set.h
* Cleanup: Mark some of the helpers arguments as const in ip_set.h
* Cleanu
Remove unnecessary whitespaces.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 13 +++--
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter/i
Mark some of the helpers arguments as const.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 4 ++--
include/linux/netfilter/ipset/ip_set_comment.h | 2 +-
include/linux/netfilt